Internet connectivity issue with firewall

Unanswered Question
May 11th, 2009
We recently had a T1 put in by Qwest, with them providing static IP addresses and a Qwest basic router. We are currently running an ASA 5505 behind the router, and a Linksys wireless router behind the ASA 5505.


The issue at hand is I went through the wizard to set up our firewall with the static IP address. Pretty basic, figuring we just wanted to test it.


From the Firewall ASDM software I can ping websites, but from my PC I am not able to get out to the web.


The error I get is as follows:

portmap translation creation failed for udp src inside:192.168.1.2/49286 dst outside:205.xyz.2.65/53


The 205 address is the DNS server Qwest has provided to us. So I am a little confused why it's going there and not our outside IP.


Here is my config file.


interface Vlan1
nameif inside
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 65.xyz.153.146 255.255.255.248
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 205.xyz.3.65
name-server 205.xyz.2.65
domain-name default.domain.invalid
access-list VPN standard permit 192.168.1.0 255.255.255.0
access-list VPN standard permit 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65.xyz.153.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.10 inside
dhcpd dns 205.xyz.3.65 205.xyz.2.65 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context


Jon Marshall Mon, 05/11/2009 - 12:16
You are not translating your internal addresses to routable addresses on the Internet. You have this in your config -


nat (inside) 1 0.0.0.0 0.0.0.0


you need a corresponding global statement. Add this to your config -


global (outside) 1 interface


Jon

John Blakley Mon, 05/11/2009 - 12:16

I missed you by "that much" Jon :)


John

Jon Marshall Mon, 05/11/2009 - 12:18

At least we both gave the same advice :-)

John Blakley Mon, 05/11/2009 - 12:16

Two things:


1.) You may want to check with the provider to make sure they bridged the router that's in front of your ASA. If they didn't, you won't be able to get out :-)


2.) You're missing "global (outside) 1 interface"


What the last line does is match up with your nat statement. The nat statement tells the ASA that anyone who arrives on the inside interface gets natted, but it doesn't have anything to nat to because you're missing the global statement.


HTH,

John
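The nat/global pairing both replies describe can be checked mechanically before a config goes live. The following is an added example, not code from the thread or from Cisco: it scans pre-8.3 ASA configuration text for `nat (iface) id` statements that have no `global (...) id` counterpart, using an excerpt of the poster's config as constructed sample input. It skips nat id 0, which is identity/exempt NAT and needs no global pool.

```python
import re
from typing import Dict, List, Set

# Constructed sample: excerpt of the poster's config, nat with no matching global
BROKEN_CONFIG = """\
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.xyz.153.145 1
"""

# The same excerpt with the line both replies recommend
FIXED_CONFIG = BROKEN_CONFIG + "global (outside) 1 interface\n"

NAT_RE = re.compile(r"^\s*nat\s+\((\S+)\)\s+(\d+)\s+")
GLOBAL_RE = re.compile(r"^\s*global\s+\((\S+)\)\s+(\d+)\s+")


def missing_globals(config: str) -> List[str]:
    """Return every 'nat (iface) id ...' line whose id has no 'global (...) id'.

    Pre-8.3 ASA syntax: a nat statement only says which inside hosts are
    translated; the global statement with the same id supplies the outside
    addresses (here the interface address) to translate them to. Without it
    the ASA cannot build the xlate, which is the portmap failure the poster saw.
    nat id 0 is identity/exempt NAT and is deliberately skipped.
    """
    nat_lines: Dict[int, List[str]] = {}
    global_ids: Set[int] = set()
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            nat_id = int(m.group(2))
            if nat_id != 0:
                nat_lines.setdefault(nat_id, []).append(line.strip())
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ids.add(int(m.group(2)))
    problems: List[str] = []
    for nat_id, lines in sorted(nat_lines.items()):
        if nat_id not in global_ids:
            problems.extend(lines)
    return problems


if __name__ == "__main__":
    print("broken:", missing_globals(BROKEN_CONFIG))  # the nat (inside) 1 line
    print("fixed: ", missing_globals(FIXED_CONFIG))   # []
```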



jlight80911 Mon, 05/11/2009 - 12:25

I completely overlooked that. Thank you for the quick reply everyone, I will go test it right now!


Thanks again!
